February’s spectacular $81m (then £54m) cyberheist against Bangladesh Bank and the global Swift bank messaging system was no one-off, a leaked letter has revealed.
According to the November letter seen by Reuters, hackers have gone on to compromise Swift customers' systems since then and steal still more money.
The letter does not say how much was stolen or which institutions were hit, but an official response to it described the number of attacks as “meaningful”, with about a fifth of them resulting in losses.
The letter admitted:
We unfortunately continue to see cases in which some of our customers’ environments are being compromised. […] The threat is very persistent, adaptive and sophisticated – and it is here to stay.
Attackers were also trying new tactics, such as using remote support programs to reach Swift terminals, the letter said.
None of this is a complete surprise, but it will raise anxiety another notch. In September, Gottfried Leibbrandt, Swift's CEO, admitted the organisation had detected new attacks but said it was resisting them.
Mere weeks on from this pep talk, and 10 months after the Bangladesh Bank disaster, new losses are surfacing.
There have also been smaller documented attacks, including one on an Ecuadorian bank in 2015 that resulted in $12m in losses.
Bank cyberattacks can be divided broadly into three types: attacks on customers, attacks on institutions and attacks on the networks used by customers and institutions.
The first two get most of the publicity, but the third is the most serious, because losses there can undermine the system of trust on which global banking depends.
Swift is a good example of this, carrying payment instructions between 11,000 institutions in 200 countries. It doesn’t hold money, but it does make its rapid movement possible.
Although funds can be stolen from banks in several ways, cybercriminals have identified Swift as a gatekeeper system: a compromised member bank can issue payment instructions that the rest of the network will treat as legitimate.
In the case of Bangladesh Bank, attackers broke into its network and got hold of the credentials they needed to initiate a series of transfers totalling almost $1bn.
Through a mixture of luck and prompt action by the Federal Reserve Bank of New York, most of the transfers were stopped, but $81m slipped through the checks. UK company BAE Systems later suggested that malware on the bank's Swift terminals had been used to tamper with transaction records and printed confirmations, covering the attackers’ tracks and buying them time.
More recently, reports have surfaced that insiders at the bank might have aided the attack.
A complicating issue was attribution for what was nearly an unprecedented $1bn bank heist. At least one security company connected the malware used to other attempted bank attacks, and to the compromise of Sony Pictures in 2014. This seemed to imply North Korea’s involvement, a claim as extraordinary as it is – so far – unsubstantiated.